Posted by mcaissie on October 17, 2005, 2:50 pm
Hi all,

The goal here is to establish a LAN-to-LAN VPN from a central NOC to multiple sites. The multiple sites may have conflicting IP addresses. We don't control the VPN devices at the remote sites, and their expertise may vary from one site to the other.

To accelerate the tunnel implementation, we would like to minimise the tasks and the complexity of the configuration at the remote sites. One step would be to eliminate the NATing at the remote sites. We would like to have a solution where all NATing would be done in the central NOC PIX, and leave the sites with only the IPSEC configurations.

The problem is, if you create a static to NAT a site subnet, you cannot create another static for another site using the same subnet.

To avoid this possible conflict we are looking at a possible two-way policy-NAT configuration, but I am not sure if it would work. Eventually I'm going to retrieve a couple of PIX in the lab to test it, but in the meantime I would appreciate your input on this.

So we have a NOC; its subnet is NOC.
We have a remote site; its subnet is SITE.
Site and NOC will agree on a subnet to mask the NOC IPs to the Site. This will be X-NOC.
The NOC will use an X-SITE subnet to mask the Site IPs.

From the Site, the device will see the NOC as X-NOC, so the crypto ACL at the site would look like this:

  access-list crypto permit ip SITE X-NOC

Now in the NOC PIX, I would need to have a crypto ACL like this:

  access-list cryptosite1 permit ip X-NOC SITE

The masking of NOC would be done based on NOC to X-SITE traffic:

  access-list masknoc permit ip NOC X-SITE
  static (inside,outside) X-NOC access-list masknoc 0 0

And the masking of the SITE would be done based on SITE to X-NOC traffic:

  access-list masksite permit ip SITE X-NOC
  static (outside,inside) X-SITE access-list masksite 0 0

I am trying to figure out the life of a packet and I get stuck. Let's say a PC in the NOC calls a PC at the Site. We have a packet with a source/destination of NOC / X-SITE; this triggers the first static, so now the packet becomes X-NOC / X-SITE. But will the other static translate X-SITE to SITE at this time? I am not sure that the crypto will ever be triggered.

I hope I am clear enough. Your comments are welcomed, on this configuration or on other ways to accomplish the initial goals.

Thanks
Site 1
  IP = SITE
  Crypto ACL = access-list crypto permit ip SITE X-NOC

NOC
  IP = NOC
  Policy translated IP = X-NOC (varies for each site)
  Policy access-list = access-list masknoc permit ip NOC X-SITE
  Policy NAT = static (inside,outside) X-NOC access-list masknoc 0 0
  Policy translated IP for Site = X-SITE (varies for each site)
  Policy access-list = access-list masksite permit ip SITE X-NOC
  Policy NAT = static (outside,inside) X-SITE access-list masksite 0 0
  Crypto ACL = access-list cryptosite1 permit ip X-NOC SITE
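The packet walk the post gets stuck on, as an added toy model (not from the post and not PIX code): it assumes the two policy statics are bidirectional, are evaluated in order against the packet as already rewritten by earlier statics, and that NAT happens before the crypto ACL is checked. Under those assumptions it shows what the hub must end up with for cryptosite1 to match; the subnets are constructed, with NOC and SITE deliberately overlapping.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample subnets (not from the post). NOC and SITE deliberately
# overlap, which is the conflict the design hides behind policy NAT.
NOC = ipaddress.ip_network("10.1.1.0/24")
SITE = ipaddress.ip_network("10.1.1.0/24")
X_NOC = ipaddress.ip_network("172.16.1.0/24")
X_SITE = ipaddress.ip_network("172.16.2.0/24")


@dataclass
class PolicyStatic:
    """Toy model of 'static (real_if,mapped_if) MAPPED access-list ACL'
    where the ACL reads 'permit ip REAL ACL_DST'. Assumed bidirectional."""
    real: ipaddress.IPv4Network
    mapped: ipaddress.IPv4Network
    acl_dst: ipaddress.IPv4Network


def remap(addr, from_net, to_net):
    """1:1 subnet translation: swap the prefix, keep the host part."""
    host = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host)


def translate(src, dst, statics):
    """Walk the statics in order; each one sees the packet as rewritten by
    the statics before it (an assumption of this model, not a PIX fact)."""
    cur_src, cur_dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for st in statics:
        if cur_src in st.real and cur_dst in st.acl_dst:       # forward: NAT the source
            cur_src = remap(cur_src, st.real, st.mapped)
        elif cur_dst in st.mapped and cur_src in st.acl_dst:   # reverse: un-NAT the destination
            cur_dst = remap(cur_dst, st.mapped, st.real)
    return str(cur_src), str(cur_dst)


def crypto_match(src, dst, acl):
    """'permit ip A B': does the (translated) packet select the tunnel?"""
    a, b = acl
    return ipaddress.ip_address(src) in a and ipaddress.ip_address(dst) in b


masknoc = PolicyStatic(NOC, X_NOC, X_SITE)    # static (inside,outside) X-NOC access-list masknoc
masksite = PolicyStatic(SITE, X_SITE, X_NOC)  # static (outside,inside) X-SITE access-list masksite
CRYPTOSITE1 = (X_NOC, SITE)                   # access-list cryptosite1 permit ip X-NOC SITE


def trace_noc_to_site(pc="10.1.1.10", target="172.16.2.20"):
    """NOC PC -> X-SITE address of a Site PC; inside static evaluated first."""
    s, d = translate(pc, target, [masknoc, masksite])
    return s, d, crypto_match(s, d, CRYPTOSITE1)
```

Run `translate("10.1.1.20", "172.16.1.10", [masksite, masknoc])` for the return direction: the decrypted SITE / X-NOC packet becomes X-SITE / NOC inside the hub, which is the mirror of what the Site's own crypto ACL expects on the wire.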